When you create a piston, it automatically creates an external URL to fire the piston. Is there a way to disable this? Some pistons may fire off some security-related features (controlling locks/garage doors). I am still a bit of a newbie but is this a concern for anyone else? I assume despite it being an HTTPS request, anyone that gets a hold of that URL can execute it.
Am I just being paranoid?
If you inadvertently share it then yes itâs possible that it can be executed by someone else. If in doubt, pause the original piston and create a duplicate of it and use the new URL, delete the old one.
Although what you describe is possible, it is highly unlikely. Also if you design your security-related pistons correctly, they wonât fire at all unless certain very specific conditions are met. Even if someone got ahold of my garage door and lock/unlock piston URLs, they absolutely wonât do anything unless there is an authorized presence or some other form of authorization.
Finally, just in case I had a brain cramp when drafting a piston, I include notifications for any significant security-related events just to be sure I know when these things happen.
my two entrance doors, garage door and house alarm systems are controlled by pistons but just executing them wonât do anything. I can even share the links publicly but wonât do anything besides annoying me LOLâŚ
Executing a piston is not like your account is being hacked.
yes you are right, this is not really safe but your piston should not be like that anyway.
My alarm system is triggered by a Simulated Switch that I need to push in ST APP or ActionTiles screen.
Unless my account is hacked no one can do that.
And when I come back, I have 60 seconds to disarm the system and again with another switch (password protected on IPAD Action Tiles screen,) triggers my alarm piston and executing that piston with url link wonât do anything.
âyes you are right, this is not really safe but your piston should not be like that anyway.â can you describe how it should be built? or maybe show an example? i worry about pistons that control certain elements of my home being publicly accessible. but am unsure what the best way to handle that is.
I think what @ike2018 means is that donât let a piston actually execute anything security related. The use of a simulated switch to kick off the piston means that if someone ever got ahold of that url, unless that simulated switch is pushed, they can do nothing. Personally I donât have any pistons that unlock or disarm any security related stuff, but I have several pistons that will lock a door if I forget to lock it, or that play a notification if Iâve left the door unlocked.
So your piston would be something like
If simulated piston is turned on, unlock door/open garage door
and If simulated piston is turned off, lock door/close garage door.
I disagree with @josh_slade that you shouldnât âlet a piston actually execute anything security related,â but fully respect that he may have different standards or levels of comfort with respect to his own security. I have a variety of security related pistons and feel very secure in their use despite the existence of an external URL. The reason is that all of my pistons include triggers, conditions and/or restrictions that will prevent an unwanted execution.
As an example, I have a piston that automatically opens our garage door when we arrive home (and closes it when we leave). But it does so based on explicit triggers that restrict if and/or when the door will open. Look again at the example @ike2018 provided above.
Execute
with GARAGE DOOR
do OPEN
End with
The reason he has a problem with this example is that the piston contains no triggers or conditions, and the door could be opened by anyone having access to the external url. But expand on that piston:
If
myPresenceSensor changes to Present
and
myCar is with 1000 yards of Home
and
time is between 5pm and 7pm
and
VacationMode is off
then
with Garage Door
open
end with
endif
Now if anyone did have the external URL, it wouldnât do them any good.
My security pistons are actually quite a bit more sophisticated than this, with layers of extra checks and notifications depending on their function. Build your pistons with this and your personal level of comfort in mind.
Hi
@Josh_Slade personally I use security stuff with webcore BUT with care. As @bthrock said, they all depend on other conditions and triggers⌠So having my URL by other people WONâT do any harm.
and @mfive, unless your Webcore and/or ST account is hacked, your house is actually pretty secure.
To do something to our houses through smart home systems, you need atleast two people:)))))
A hacker - who does stuff in front of a computer
A burglar - who is going to come and take stuff
if I hacker and a burgler walks into a bar, you are talking about a serious level organized crime team and most likely they wonât hit houses, they will hit big stores.LOL
Anyway,
The garage example:
Piston can be executed in three ways (if more, I donât know about it)
a) A trigger in the piston.
b) Another piston executing this piston.
c) A piston without a trigger, that uses URL link provided by piston itself.
in my example (what not to do) garage door can be opened by clicking on the URL link.
Yes if your garage door has no trigger but just executing your piston, some one with that link CAN EASILY open your garage door.
But if you piston is something like this,
IF presence sensor changes to present
With garage door
Turn ON/Open
Now for this piston to be triggered your sensor needs to change TO PRESENT
other than that, NOTHING will execute this piston. So nothing can open your garage door.
Even if I give you the URL of the piston you wonât be able to do anything.
I have a piston that makes an annoucement in the house. âUrgent callâ the url link is used by my assitants. If for any reason they canât reach me and itâs urgent, they click on the link and I hear the annoucement all around the house. Now what if someone else getâs this link. I can just pause or even delete the piston. All they can do is, keep clicking and annoying me LOL
Of course I would not use this for unlocking the house.
As long as your security pistons donât JUST depend on URL executing you are pretty safe anyway. (account hacking is a different ball game)